As always, the primary ongoing assurance activity is the review of incidents conducted by the security program to determine if the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the program is functioning well and we continue to make adjustments to controls and policies as required by the environment.
1.0 Risks
1.1 Drive-by-download infections
Drive-by infections continue to decrease, but they remain a source of risk given the low barrier to conducting an attack, the difficulty of defending against it, and the large number of potentially vulnerable systems. Our existing mitigations (broad deployment of BigFix, isolating unpatched computers, and RPZ) continue to manage this risk to an acceptable level.
1.2 Continued Threats from Advanced Persistent Threat (APT)
This is an ongoing top risk, although we have not witnessed any significant activity in the last trimester.
1.3 Emergent Security Risks and Evolving Threats
Heartbleed: LBL quickly responded to the Heartbleed vulnerability and is continuously scanning both for vulnerable machines and for attempts to exploit the vulnerability. Embedded, vendor-provided OSes proved the most challenging part of our response; regular OS/application stack vendors provided patches relatively quickly. LBL was recognized in the NYTimes for its ability to go back through packet captures from the past six months to look for signs of exploitation before the vulnerability was announced. In doing so, LBL was one of the only sites to publicly describe its findings in this area, and our investments in pervasive visibility at the perimeter and inside the network helped not only to protect our site but also to protect others.
Supervisory Control and Data Acquisition (SCADA) systems: We continue to work with the Bro research team under the NSF grant to develop tools for monitoring SCADA. We are currently studying and characterizing the BACnet protocol on our facilities network, which includes all of our Johnson Controls systems (building automation).
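As an added example (not LBL's own scanning or Bro tooling), this is the per-record check that a retrospective search of packet captures for Heartbleed exploitation attempts applies to each TLS heartbeat record: a declared payload_length larger than the bytes the record actually carries. The sample records are constructed, not real captures.

```python
"""Flag TLS heartbeat records whose declared payload length exceeds the
bytes present (RFC 6520 section 4), the condition Heartbleed exploits."""
import struct

TLS_HEARTBEAT = 0x18          # TLS ContentType for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: padding MUST be at least 16 bytes


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record; report whether a heartbeat's declared
    payload_length exceeds the bytes the record actually carries."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False}
    body = record[5:5 + rec_len]
    if len(body) < 3:
        raise ValueError("truncated heartbeat body")
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    available = len(body) - 3     # bytes present after the heartbeat header
    # A compliant receiver silently discards the message when payload_length
    # leaves no room for the mandatory padding; an unpatched OpenSSL instead
    # copied payload_len bytes of its own memory into the response.
    return {
        "heartbeat": True,
        "version": version,
        "type": {HB_REQUEST: "request", HB_RESPONSE: "response"}.get(hb_type, "unknown"),
        "declared_payload": payload_len,
        "available": available,
        "malformed": payload_len + MIN_PADDING > available,
    }


def count_malformed(records) -> int:
    """Number of heartbeat records in an iterable that fail the length check."""
    return sum(1 for r in records
               if check_heartbeat_record(r).get("malformed", False))


# Constructed samples (not real captures):
# a well-formed TLS 1.1 heartbeat request: 4-byte payload plus 16 bytes padding
SAMPLE_OK = bytes.fromhex("1803020017" "010004" "70696e67" + "00" * 16)
# a heartbeat request declaring 16384 payload bytes but carrying none
SAMPLE_OVERSIZED = bytes.fromhex("1803020003" "014000")
# a TLS handshake record, which the check ignores
SAMPLE_HANDSHAKE = bytes.fromhex("1603010000")

if __name__ == "__main__":
    for name, rec in (("ok", SAMPLE_OK), ("oversized", SAMPLE_OVERSIZED)):
        print(name, check_heartbeat_record(rec))
    print("malformed:", count_malformed([SAMPLE_OK, SAMPLE_OVERSIZED, SAMPLE_HANDSHAKE]))
```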
2.0 LBNL Performance
2.1 Business Plan Performance
- T1 Border Router. Our new border router is live with increased block capacity (amount and duration). This new blocking capacity has allowed us to easily block new risks (IPMI, NTP) as well as extend our blocking to additional protocols.
- T2 Communication and Outreach.
We hosted the annual Network Security Monitoring conference for DOE, which included a two-day Bro workshop.
We’ve held a series of information sharing activities with SLAC’s cyber and network groups and have helped them deploy Bro.
- CPP Sensors. Live and active.
- PII Review. Steady progress is being made on the CATS items arising from the PII review.
- New: UC is requiring the identification of a Privacy Official from each campus/location to coordinate information and autonomy privacy activities at each site. LBL has identified this individual (Adam Stone, Deputy CIO for Technology and Policy), and will be developing additional programmatic activities over the next year.
- New: Windows XP End of Life Activities continue apace.
- New: Per direction from BSO, lost laptop reporting to JC3 is in place.
2.2 Audits
Office of Science S&S Review: While cyber was not an explicit part of this review, we spent substantial time engaged on LBL's implementation of, and variances from, the OUO Order. The Review Team had no findings against our implementation and generally expressed that our information protection measures appeared sufficient. One area noted for improvement is the marking and control of documents describing specific operational details of physical security systems. This area is already covered by UC policies for the campuses, and once the report is finalized we will adopt that set of criteria as appropriate.
Annual Financial Controls/FISMA Follow-up: LBL was not selected for a full review this year, resulting in cost savings to the Laboratory of at least $150k in staff time. We have submitted information for our follow-up on last year's finding that one individual had access to the datacenter who did not need it (he did not know he had it, he would have been caught at the next review, and the risk of an employee holding unneeded access is diminishingly low given compensating controls such as cameras). We are awaiting information from KPMG/IG on our follow-ups.
Ongoing: IT Hardware, Cloud
3.0 PEMP Goals, Objectives, Notable Outcomes
None defined.
4.0 Noteworthy Accomplishments
No new noteworthy accomplishments.